Forescout Cyber Weekly Roundup
February 8, 2019
The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
- As Threats Proliferate, so do New Tools for Protecting Medical Devices and Hospitals (February 6, 2019)
Summary: The lack of medical device security and the growing number of healthcare-related breaches is driving innovation and new business opportunities to improve cybersecurity in the healthcare industry.
Why it matters: As is often the case, innovation outpaces regulation; although sometimes innovation ultimately inspires regulation. From the first FDA-approved ingestible sensor to closed-loop automated insulin delivery, which—interestingly—started with a Raspberry Pi and a hacked insulin pump and ultimately led to the Open Artificial Pancreas System Project (OpenAPS), the introduction of ‘connected’ medical devices has enabled tremendous advances in the medical field. However, we’ve also seen medical device recalls from the FDA, as well as proposed recommendations from the FDA to ensure medical device manufacturers are securing the devices. Many believe collaborative action between regulators and industry is needed to minimize cyber risk, but as this article points out, in the absence of regulation, a new wave of medical device-focused cybersecurity companies is emerging. Medcrypt, for example, claims that it can offer medical device manufacturers cybersecurity features in only a few lines of code. Interestingly, Medcrypt suggests that the FDA requires data encryption, signature verification and behavior monitoring in medical devices—all of which originate from the FDA’s 2013 Radio Frequency Wireless Technology in Medical Devices Guidance which does not establish legally enforceable responsibilities. As this new niche market takes root, it’s incredibly important for both medical device manufacturers and healthcare professionals to consider what’s really needed to secure their devices. If a manufacturer essentially outsources a portion of the software development to a startup healthcare security company, they’re also introducing another link in an already lengthy supply chain. And, if the manufacturer is willing to outsource security, the likelihood of having an in-house cyber expert to verify and validate the modified code on the device is probably pretty slim. To further complicate matters, in the event that the device is compromised, is the manufacturer at fault or is the outsourced cybersecurity company to blame? Ultimately, it’s the hospital using the device—and the patient connected to the device—who really suffer the consequences. Medical device regulation is certainly needed, but it’s also incumbent upon healthcare providers to assess and understand the risks associated with the devices they allow on their networks. Healthcare Delivery Organizations (HDOs) need to have methods in place to detect, profile and manage connected devices on their own terms. There is currently no requirement other than HIPAA that targets the security of medical devices, and that concerns the protection of data that devices transmit, not the operational integrity of those assets.
- Fewer Breaches in 2018, but More Sensitive Data Spilled (February 5, 2019)
Summary: A recent report suggests that reported breaches in the U.S. dropped 23 percent from 2017 to 2018; however, the number of exposed sensitive records increased 126 percent.
Why it matters: We predicted last year that major Public Health Information (PHI) breaches will continue, but the attacks will get more personal and creative. According to a KSN Report, ransomware declined by 30 percent last year. Malicious actors have shifted and matured their tactics from data theft, phishing and ransomware attacks to fraud, cryptomining and other methods. This recent report supports our prediction with the reported healthcare breaches, but it’s important to realize that the actual number of exposed records far exceeds the number of the breaches reported; and, the categorization and classification of compromise causes isn’t always accurately or consistently reported either. What that means is that the healthcare industry is struggling to understand the root cause of compromise—a critical step in preventing future breaches. Tracking lateral moves can be difficult, especially in flat healthcare networks that don’t employ network segmentation—they lack separation by function and VLANs tend to be assigned by hospital floor, as opposed to having parallel networks to separate and limit access. Network segmentation doesn’t just make it easier to track the point of entry after a breach, it also makes it easier to identify exposed endpoints and prevent a breach altogether. In order for the healthcare industry to turn the corner on data breaches, it’s critical that it pursue network solutions like segmentation and also standardize the manner in which new devices are added to the network, leveraging a detailed classification taxonomy to ensure that only approved devices are allowed on the network, and only approved users have access to the software, applications, and data they need. Troy Hunt explains his approach to understanding and verifying breaches when they hit, but the healthcare industry should follow a similar method to understand the source of compromise—verify sources, understand the breach structure and enumeration and look for patterns.
- To Improve Critical Infrastructure Security, Bring IT and OT Together (February 6, 2019)
Summary: As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace.
Why it matters: The convergence of Information Technology (IT) and Operational Technology (OT) will drive new competitive advantages and business opportunities and can result in reduced costs and improved efficiencies, but it also ushers in a host of additional risks that require mitigation. Historically, OT and IT have existed separately—each with separate business owners, support staff, and oversight. But as technology has advanced, and IoT devices have proliferated, IT and OT have become increasingly connected, with OT systems both benefiting and relying on IT. However, the governance that’s needed to ensure security simply hasn’t kept pace with the convergence. Bad actors have realized this opportunity and as a result, we’ve seen multiple attacks on critical infrastructure, such as the Ukrainian power grid attack, Russian probing of the U.S. power grid and Chinese intrusions into U.S. critical infrastructure, viewed by some as espionage and others as a sign of potential war. The U.S. has taken action to combat the threat, last year standing up the Cybersecurity and Infrastructure Security Agency (CISA), which just this week began an awareness briefing series on Chinese malicious cyber activity. However, one of the biggest hurdles that the U.S. has yet to overcome is determining the appropriate roles for responsibility and accountability with respect to the security of U.S. critical infrastructure. Roughly 85 percent of U.S. critical infrastructure is owned and operated by the private sector, and although many in the private sector agree government collaboration for better security is necessary, there has been reluctance to collaborate due to the implications of government regulation and oversight. The Department of Homeland Security (DHS) released the National Cyber Incident Response Plan (NCIRP), which focuses on how the U.S. can react to critical infrastructure attacks, but what’s needed is a definitive roadmap to a state of mutually agreed upon collaboration between the government and the private sector. In Australia, where more than 80 percent of critical infrastructure is privately owned, the government last year enacted the Security of Critical Infrastructure Act 2018, which requires a reporting entity and specific reporting requirements for operational information and interest and control information with penalties and fines for non-compliance. Sector Coordinating Councils perform a similar function in the U.S., but such reporting is not mandatory; however, by the conclusion of 2018, all 50 states enacted data breach notification laws, which captures critical sectors as well. What we can hope is that the U.S. will continue to mature its critical infrastructure strategy with a focus on response strategies, protection of access to critical data and risk management.
- Together for a Better Internet – on Safer Internet Day and Beyond! (February 5, 2019)
Summary: The second day of the second week of the second month of the year marks the annual, global campaign known as Safer Internet Day (SID).
Why it matters: Tuesday marked the 16th annual Safer Internet Day. Designed to raise awareness and encourage youth to use technology safely, responsibly, respectfully, critically and creatively, the campaign is also an equally relevant and important reminder for leaders, decision makers and end users across the globe. One can become easily jaded by the volume of data breaches and cyberattacks in the headlines nearly every day, but it’s important to remember the responsibility we have as adults to educate, inform and prepare today’s youth of both the benefits and risks enabled by technological advancement. For decades, children’s media use was mostly limited to television and music, but media statistics now show that by age eight, 96 percent of children have watched TV, 90 percent have used a computer, and 60 percent have played games or used apps on a portable device such as a smartphone, tablet, or gaming device. Mobile screen time for kids has spiked from only 4 percent in 2011 to 35 percent in 2017 and other studies have shown that 11 percent of eight to nine year olds have their own mobile phones—and that percentage spikes to 67 percent for 12 to 13 year olds. Because of the rise of connected device usage in the home, many schools have also opted for tablets as opposed to textbooks. In short, today’s youth are perpetually surrounded by technology. While there’s debate as to whether that will ultimately benefit those youth and better prepare them for the world of adulthood, or precipitately expose them to mature content, adults have a responsibility to vigilantly guide tomorrow’s IT leaders and decision makers and educate them on cybersecurity best practices. We saw a number of SID-related events this year, including the launch of a new cybersecurity academy for high school students in British Columbia, Google’s #SecurityCheckKiya campaign and UNICEF’s call to action to prevent cyberbullying and harassment.
- Zero Day Initiative Uncovers Multiple Vulnerabilities Impacting Major Industrial Automation Company (February 6, 2019)
Summary: A total of nine vulnerabilities affecting a major industrial automation company, Advantech, have been identified this week by the Zero Day Initiative (ZDI). Each is currently listed by ZDI as an upcoming advisory pending public disclosure.
Why it matters: Roughly a week after the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a critical advisory on Advantech WebAccess, ZDI disclosed nine additional vulnerabilities. Among them, eight have a Common Vulnerability Scoring System (CVSS) score of 9.8 (10 is the highest and most severe score possible). Such a high score in and of itself warrants attention from cyber responders, but it’s even more critical that these vulnerabilities are resolved because they reside within the software used by Supervisory Control and Data Acquisition (SCADA) systems—leaving the networks and systems used by industrial control systems operators open to potential malicious exploit. In short, SCADA systems are the human machine interfaces (HMI) used to monitor and control the vast majority of critical infrastructure—from power stations and waste water plants to telecommunications and transportation infrastructure. In last week’s roundup, we highlighted two additional vulnerabilities that, if exploited, could have a devastating impact on Security Operations Centers (SOCs). These nine new vulnerabilities, although similar, are much more complex. SCADA systems may use a custom version of embedded windows, for example, making it harder to patch and consequently more prone to exploit. Last year, ISC-CERT warned organizations using Advantech’s ICS products to install an update to resolve multiple vulnerabilities that, if exploited, could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system. Despite the slew of recently identified vulnerabilities—including others impacting AVEVA Indusoft and WECON—it’s actually a sign that product security is improving within the industrial technology space. The trend seems to be toward more research, investigation and general awareness of both the issues and the potential impact of each—resulting in more rapid development and release of vendor patches.